Experts Point to Weaknesses in NAC Security

Black Hat Briefings: Security experts gathered at the Black Hat conference maintain that NAC systems, which are growing in popularity among enterprises, are vulnerable to a range of attacks.

LAS VEGASWhile Network Admission Control technologies are being heralded as a major step forward in helping to secure corporate IT infrastructures, security researchers contend that the tools remain open to a range of threats.
At the Black Hat Briefings security conference being held here July 31 through Aug. 3, experts identified a slew of potential techniques that hackers can employ to circumvent existing NAC technologies, including those offered by major vendors such as Cisco Systems. Ofir Arkin, chief technology officer at network monitoring software maker Insightix, of Framingham, Mass., highlighted a litany of backdoors and vulnerabilities he claims are present in many NAC installations.
Among the most critical weaknesses applicable to NAC environments are those revolving around the use of DHCPs (Dynamic Host Configuration Protocols), which provide configuration guidelines for devices seeking to access a network. Since DHCP is one of the easiest methods for installing NAC infrastructuresa project that remains admittedly tough for even the most mature IT organizationsattacks against the technique, including the use of static IPs (Internet Protocols) by attackers to secretly gain access to a network, are a widespread issue, Arkin said.

"At the end of the day, when youre looking at companies using DHCP, many also have other address bases for servers and different types of end users, and someone can easily bypass such a system by assigning a static IP address to their machine," Arkin said. "And the detection element [of DHCP] only scans the network at Layer 3, with no knowledge of the networks topology. That also leads to the existence of other uncovered venues that could be used to provide access to the network."

Machines connecting to DHCP-oriented NAC architectures are also required to use agent software for authentication, which is typically restricted to Windows-based operating systems.
Among the other NAC security issues highlighted by Arkin are those related to the use of so-called broadcast listeners, which are used to detect suspicious traffic on computing networks. Since companies often do not know where all their wireless switches may be and configuring the devices can be an arduous manual process, locking down all the potential security loopholes related to broadcast listeners is a challenging proposition that could leave some organizations exposed, he said.

"In most cases, 70 percent of a network is covered, but there are obvious weaknesses as companies often dont understand all details of their network, making it easy to circumvent defenses," said Arkin. "And the listeners are only looking for suspicious traffic. If you can appear to be legitimate, you can still get on the network and abuse the ability to set DNS, and then tunnel wherever you like."
The FTC wants enterprises to report spyware attacks, but what about the legal implications? Click here to read more.
Another potential NAC weak point highlighted in the presentation relates to so-called switch integration SNMP traps, which are used to analyze the MAC addresses of devices attempting to connect to networks and can be used to shut down ports when suspicious activity is detected. Reliance on the tools could lead companies to overlook discreet access venues, as the listeners cannot be used to authenticate wireless users and virtualization software could be used to mask underlying threats, among other issues.
Arkin also detailed what he sees as loopholes in Ciscos use of the 802.1x standard. While the model has strengths, especially when embedded into Ciscos networking gear, the expert said the system offers difficult management issues, such as working with legacy equipment and products from other vendors, which could leave corporations dependent on the technology exposed.
Black Hat attendees agreed that NAC has both promise and some downsides. While most recognize that NAC is in its early stages and will likely be improved over time as more companies adopt the technology, showgoers said theres a good chance the system will always have loopholes.
"Its pretty clear how easily these systems can be hacked," said Jeffrey Grant, a research engineer with Luna Innovations, in Blacksburg, Va. "More people are going to start attacking NAC as they see a return on investment from their work, and those companies that cant afford to configure their infrastructures most effectively will probably have serious issues."
Andrew Rikarts, a technical security officer at the Department of Veterans Affairs, which became the poster child for potential data leakage after the theft of a laptop computer from an employees home in June, said that despite its shortcomings, NAC will continue to be adopted by enterprises and smaller companies.
Click here to read more about the theft of the VAs laptop.
"Despite the shortcomings, I still think NAC will become a viable security model for 99 percent of the companies in the world, and were investing in it heavily," said Rikarts, who is based in Bay Pines, Fla. "The bigger the deployment gets, the harder it will be to make sure that all the elements trying to access the network are legitimate, but its a strong front line of defense."
Some Black Hat attendees said the key issue with NAC will be encouraging companies to understand that the technology is not a panacea and must be used in collaboration with other forms of network monitoring tools to be most effective. At least one said that NAC could become more effective if actively integrated with other security tools such as digital authentication certificates.
"Until you go further and require some form of digital certificate under NAC, there will be obvious opportunities for attack," said a 46-year-old former government IT security specialist at the show, who would only be identified by his screen name, KingHaroldBluetooth. "But at the very least, NAC adds another effective layer when applied correctly, and it will always take layers of technology to help eliminate as many potential vulnerabilities as possible."
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.